Description
After some research, it appears that a reflected cross-site scripting (XSS) attack is possible when the server islands feature is used in the targeted application, regardless of what the component template(s) intended.
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): <= 5.15.6
- Patched version(s): 5.15.8
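As an added example (not part of this advisory or of the Astro project), the following JavaScript audits a project for installed astro versions against the version range stated above, including nested copies pulled in by other packages. It expects the JSON tree that `npm ls astro --all --json` prints (a nested `dependencies` object whose nodes carry a `version`); the sample tree embedded here is constructed for the example. Versions below 5.15.6 inclusive are reported as affected, and anything below the patched 5.15.8 (for example 5.15.7 or a 5.15.8 prerelease) is reported as needing an update.

```javascript
// Added example (not from the advisory): flag installed astro versions that are
// affected (<= 5.15.6) or still below the patched release (5.15.8).
// Input: the JSON tree printed by `npm ls astro --all --json`.

const AFFECTED_MAX = "5.15.6"; // from the advisory: affected <= 5.15.6
const PATCHED = "5.15.8";      // from the advisory: patched in 5.15.8

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Compare two versions by semver precedence; returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  // A prerelease sorts before the final release of the same core version.
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1; // fewer identifiers sorts lower
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; continue; }
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort below alphanumeric
    if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Inside the advisory's affected range.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MAX) <= 0;
}

// Anything below the patched release should still be updated.
function needsUpdate(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Walk the nested `dependencies` tree and collect every astro install with its path.
function findAstroVersions(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === "astro" && node.version) {
      out.push({ path: here.join(" > "), version: node.version });
    }
    findAstroVersions(node, here, out);
  }
  return out;
}

function auditAstro(tree) {
  return findAstroVersions(tree).map(({ path, version }) => ({
    path,
    version,
    affected: isAffected(version),
    needsUpdate: needsUpdate(version),
  }));
}

// Constructed sample: a direct astro dependency on the last affected version
// and a nested copy, under a theme package, already on the patched version.
const SAMPLE_NPM_LS = {
  name: "example-site",
  version: "1.0.0",
  dependencies: {
    astro: { version: "5.15.6" },
    "@example/theme": {
      version: "2.0.0",
      dependencies: { astro: { version: "5.15.8" } },
    },
  },
};

console.log(JSON.stringify(auditAstro(SAMPLE_NPM_LS), null, 2));
```

To run it against a real project, replace `SAMPLE_NPM_LS` with the parsed output of `npm ls astro --all --json`; nested copies matter because a fix applied to the top-level dependency does not update a second astro pinned by a theme or integration.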
References
Related Issues
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Quill is vulnerable to XSS via HTML export feature - CVE-2025-15056
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
Tags: npm, astro
Last updated on November 19, 2025